WO 2007/076624 



PCT/CN2005/002386 



FIG. 2A (sheet 2/9), flowchart; reference numerals 210, 220, 230

RECEIVE IN A VIRTUAL MACHINE CONTENTS OF A PROGRAM FOR CREATING A VIRTUAL ENVIRONMENT FOR INTERACTING WITH A HOST PLATFORM IN A COMPUTING DEVICE

DETERMINE BY THE VIRTUAL MACHINE IF THE RECEIVED CONTENTS COMPRISES PREDETERMINED INSTRUCTIONS FOR PERFORMING AT LEAST ONE UNAUTHORIZED TASK

END

Sheet 3/9, flowchart

START (200)

LOAD THE RECEIVED CONTENTS OF THE PROGRAM IN THE VIRTUAL MACHINE (210)

FIG. 3 (sheet 4/9), flowchart

START (300)

SEARCH PREDETERMINED LOCATIONS OF THE RECEIVED CONTENTS OF THE PROGRAM FOR THE PREDETERMINED INSTRUCTIONS (310)

COMPARE THE CONTENTS OF THE PROGRAM TO AT LEAST ONE PREDETERMINED INSTRUCTION PATTERNS CORRESPONDING TO THE PREDETERMINED INSTRUCTIONS FOR PERFORMING THE AT LEAST ONE UNAUTHORIZED TASK (320)

PURGE THE PREDETERMINED INSTRUCTIONS FROM THE RECEIVED CONTENTS (330)

FIG (number missing), flowchart; reference numerals 400, 410, 420, 430, 440, 450, 470, 480, 485, 490, 495

TRANSLATION CACHE CORRESPONDING TO THE VALUE IN IP EXISTS? (decision: YES / NO)

INVOKE THE TRANSLATION ENGINE BY THE EXECUTION ENGINE

INVOKE THE DETECTION SUBSYSTEM BY THE TRANSLATION ENGINE

TRAVERSE CODE FRAGMENTS

COMPARE THE TRAVERSED CODE WITH THE CODE PATTERNS OF MALICIOUS CODE

PURGE THE MALICIOUS CODE FROM THE TRAVERSED CODE FRAGMENT

GENERATE TRANSLATION CACHE FOR THE TRAVERSED CODE FRAGMENTS

DIRECT THE CONTROL TO THE TRANSLATION CACHE CORRESPONDING TO IP

RETURN

FIG. 5 (sheet 6/9), flowchart; reference numerals 500, 520, 540, 550, 560, 570, 580

START

CHECK A BRANCH TARGET AT THE OUTLETS OF THE TRANSLATION CACHE

BRANCH TARGET COMPRISES A TRANSLATION CACHE? (decision)

BRANCH TARGET COMPRISES THE EXECUTION ENGINE? (decision)

RETURN

MALICIOUS CODE DETECTED

DIRECT THE CONTROL TO THE EXECUTION ENGINE

FIG. 6 (sheet 7/9), flowchart; reference numerals 600, 610, 620, 630, 650, 690, 695

START

INVOKE THE DETECTION SUBSYSTEM BY THE EXECUTION ENGINE

TRAVERSE CODE FRAGMENTS

COMPARE THE TRAVERSED CODE WITH THE CODE PATTERNS OF MALICIOUS CODE

PURGE THE MALICIOUS CODE FROM THE TRAVERSED CODE FRAGMENT

DECODE THE INSTRUCTION IP POINTS TO

DIRECT THE CONTROL TO CORRESPONDING INTERPRETER FUNCTION BY EXECUTION ENGINE

DIRECT THE CONTROL TO THE EXECUTION ENGINE WITH THE UPDATED IP UPON COMPLETION OF EXECUTION BY THE INTERPRETER FUNCTION

RETURN

FIG. 7A (sheet 8/9), flowchart

START (700)

RECEIVE A SYSTEM CALL FOR A HOST PLATFORM IN COMMUNICATION WITH A VIRTUAL MACHINE OF A COMPUTING DEVICE (710)

DETERMINE BY THE VIRTUAL MACHINE IF THE RECEIVED SYSTEM CALL COMPRISES AT LEAST ONE PREDETERMINED SYSTEM CALL FOR PERFORMING UNAUTHORIZED TASKS (720)

END (730)

FIG. 7B (sheet 8/9), flowchart

START (750)

COMPARE THE SYSTEM CALL TO PREDETERMINED SYSTEM CALL PATTERNS CORRESPONDING TO THE PREDETERMINED SYSTEM CALLS FOR PERFORMING UNAUTHORIZED TASKS

RETURN (770)

FIG. 8A (sheet 9/9), flowchart

START (800)

RECEIVE A VIRTUALIZED MEMORY ADDRESS FOR A HOST PLATFORM IN COMMUNICATION WITH A VIRTUAL MACHINE OF A COMPUTING DEVICE (810)

DETERMINE BY THE VIRTUAL MACHINE IF THE RECEIVED VIRTUALIZED MEMORY ADDRESS COMPRISES AT LEAST ONE PREDETERMINED UNAUTHORIZED VIRTUALIZED MEMORY ADDRESS (820)

END (830)

FIG. 8B (sheet 9/9), flowchart

START (850)

DETERMINE IF THE VIRTUALIZED MEMORY ADDRESS IS IN A MEMORY SPACE AVAILABLE TO THE TRANSLATION CACHE (860)

DETERMINE IF THE VIRTUALIZED MEMORY ADDRESS IS IN A MEMORY SPACE AVAILABLE TO THE AT LEAST ONE INTERPRET FUNCTION (870)

DETERMINE IF THE VIRTUALIZED MEMORY ADDRESS IS IN A MEMORY SPACE MEMORY REGIONS STORING AT LEAST ONE OF INSTRUCTIONS AND DATA FOR OPERATIONS OF THE VIRTUAL MACHINE (880)

RETURN (890)